Thycotic’s Cyber Security Publication

Top Tips: Extend Identity and Access Management to Protect All Privileged Accounts

April 18th, 2017

The traditional security perimeter is no longer proving to be an effective cyber security control, and fast-growing technologies like cloud, mobile and virtualization make the boundaries of an organization blurry. For many years, organizations protected their valuable and sensitive information by building a fence around those assets. All the data flowing in and out of an organization went either through a single internet access point or on physical devices. That made a traditional perimeter an effective measure, because the boundaries were known.

As long as internet access was controlled and the data that flowed through it was visible, it was possible to protect, monitor, and control that data. Organizations protected the internet access point with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways, and so forth, building multiple layers of security on the so-called perimeter. On physical devices, systems management and antivirus protected those systems and kept them updated with the latest security patches. This traditional approach has been used for almost 30 years, but in today’s world it is no longer effective.

Technology has significantly changed the world. In the past 10 years, we have seen the physical boundaries of an organization almost completely disappear. This is the result of mobility and connectivity, with almost every person in an organization becoming an internet access point. With the ability to simply enable a personal hotspot on a mobile device and connect a laptop to it, controlling the perimeter became much more difficult. At an average transfer speed of 50 Mbit/s (roughly 6 MB per second), a person could transfer more than 500GB of data out of an organization within a day, over a connection that is neither secured nor monitored.

This leaves us with the question – what is the size of your data vaults that contain sensitive data?

This, in combination with cloud and virtualization, makes data far more transportable than ever before. With data moving at high transfer rates and more cloud services allowing data to be processed and stored in the cloud, these technological advances force the traditional perimeter to evolve.

If we look at the cyber breach reports from the past year, it has clearly been a busy one for cyber criminals, with public reports stating more than 500 data breaches and more than 3 billion records exposed in 2016.

So why do we continue to see so many cyber breaches? Looking at why many of the breaches in the past year occurred, it comes down to three major factors: the human factor, identities and credentials, and vulnerabilities. In a digital social society we share more information, which leaves us far more exposed to social engineering and targeted spear-phishing attacks. The attacker’s goal is to compromise our systems for financial fraud, or to steal our identities and use them to access the company we are entrusted with protecting. A stolen identity lets the attacker bypass the traditional security perimeter undetected. If that identity has access to privileged accounts, the attacker can carry out malicious activity that often goes undetected for more than 200 days, or until the damage has already been done.

In the vast majority of breaches (approximately 80 percent of cyber incidents), stolen identities, credentials and privileged accounts are involved; they remain the prime target for attackers because they unlock the access required to reach virtually any part of an organization’s network. Compromising privileged credentials can mean the difference between a simple perimeter breach and a cyber catastrophe. Once attackers gain a foothold, they escalate their privileges and move laterally through the network to find and exfiltrate confidential information, or deploy ransomware to encrypt critical business data.

In today’s world organizations can no longer rely on the traditional security perimeter as their only cyber security measure. The new cyber security perimeter must be the identity and access of the employee. This is the next-generation security perimeter, one that works in a world where systems and data can be located anywhere and accessed at any time, as long as the identity and its access can be validated and trusted. We have seen successful implementations at national scale: Estonia enables citizens and government to interact seamlessly via digital identities, which has allowed Estonian citizens to vote, bank, and file taxes from any location in the world.

It also enabled Estonia to introduce the world’s first e-Residency program. Organizations can take a similar approach by embracing Identity and Access Management as the way to protect their data and systems: securing digital identities, using multifactor authentication, securing privileged access and data, and continuously checking the reputation and behavior of those identities. This moves the focus to the data and to the system or person that needs access to it, rather than to the so-called traditional security perimeter.

Getting Started

You can’t protect what you don’t know exists. So, before you launch into a privileged account lockdown project, start by mapping out how many privileged accounts exist. Most organizations significantly underestimate the number.

Administrator on Windows and root on Linux are just the beginning. Consider a web application farm running an off-the-shelf software package, say three web servers and two database servers. One OS root/admin account per system is a given. Next, there is the database superuser account, such as “sa” on SQL Server. Then, if the application is running on Windows/IIS, there are:

• Service accounts for the DB
• Service accounts for the application
• AppPool identities
• Accounts used by the application to access the database

And don’t forget the hardware-level accounts on the server’s out-of-band management controller (the BMC, reached over IPMI or vendor tools such as HPE iLO and Dell iDRAC), which are used for remote maintenance and control of the machine itself, below the operating system. These should all be considered privileged accounts.
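To make the inventory step concrete, here is an added example (not from the original article or from Thycotic) of a first-pass discovery script for one Windows/IIS/SQL Server host in the farm described above. It walks the same categories: local administrators, service accounts, scheduled-task identities, IIS application pool identities, the database logins embedded in web.config connection strings, and every SQL Server login holding sysadmin (plus “sa”, even if renamed). It assumes the WebAdministration module (ships with IIS) and the SqlServer module (for Invoke-Sqlcmd) are available; the `$SqlInstance` and `$WebConfigPaths` parameters are assumed inputs. BMC/iLO/iDRAC accounts are not visible from inside the OS and still have to be inventoried by hand.

```powershell
# Added example: first-pass privileged account inventory for one Windows host.
# Assumes WebAdministration (IIS) and SqlServer (Invoke-Sqlcmd) modules; the
# parameters below are assumptions, adjust them for your farm.
param(
    [string]$SqlInstance = 'localhost',
    [string[]]$WebConfigPaths = @('C:\inetpub\wwwroot\web.config')
)

# Identities that are built in and therefore not separately managed accounts.
$builtin = @('LocalSystem', 'NT AUTHORITY\SYSTEM', 'SYSTEM',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE', 'LOCAL SERVICE',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE', 'NETWORK SERVICE')
$found = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Account, [string]$Source) {
    $found.Add([pscustomobject]@{
        Host = $env:COMPUTERNAME; Category = $Category; Account = $Account; Source = $Source
    })
}

# 1. OS admin: members of the local Administrators group (users, groups, domain principals).
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Local admin' $_.Name "$($_.ObjectClass) ($($_.PrincipalSource))" }

# 2. Service accounts (DB engine, application services): any logon identity that is not built in.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    ForEach-Object { Add-Finding 'Service account' $_.StartName "service: $($_.Name)" }

# 3. Scheduled tasks running as a named account; frequently forgotten and often admin-level.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.UserId -and ($builtin -notcontains $_.Principal.UserId) } |
    ForEach-Object { Add-Finding 'Scheduled task' $_.Principal.UserId "task: $($_.TaskPath)$($_.TaskName)" }

# 4. IIS application pool identities (SpecificUser means a real, managed credential).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
        $pm   = $_.processModel
        $acct = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { [string]$pm.identityType }
        Add-Finding 'AppPool identity' $acct "apppool: $($_.Name)"
    }
}

# 5. Accounts the application uses to reach the database: logins in connection strings.
#    A plaintext 'User ID=' in web.config is itself a finding worth fixing.
foreach ($path in $WebConfigPaths) {
    if (-not (Test-Path $path)) { continue }
    $cfg = [xml](Get-Content -Path $path -Raw)
    @($cfg.configuration.connectionStrings.add) | Where-Object { $_ } | ForEach-Object {
        if ($_.connectionString -match '(?i)\b(User ID|uid)\s*=\s*([^;]+)') {
            Add-Finding 'App DB login (plaintext in config)' $Matches[2] "$path [$($_.name)]"
        } elseif ($_.connectionString -match '(?i)Integrated Security\s*=\s*(true|sspi)') {
            Add-Finding 'App DB login (Windows auth)' '<AppPool/service identity>' "$path [$($_.name)]"
        }
    }
}

# 6. DB superusers: every login in sysadmin, plus 'sa' (principal_id 1, even when renamed).
if (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue) {
    $q = @"
SELECT name, type_desc, is_disabled,
       CASE WHEN principal_id = 1 THEN 1 ELSE 0 END AS is_sa
FROM sys.server_principals
WHERE type IN ('S','U','G')
  AND (IS_SRVROLEMEMBER('sysadmin', name) = 1 OR principal_id = 1);
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = if ($_.is_disabled) { 'disabled' } else { 'ENABLED' }
            $tag   = if ($_.is_sa) { 'sa' } else { 'sysadmin' }
            Add-Finding "SQL $tag login" $_.name "$SqlInstance ($($_.type_desc), $state)"
        }
}

# Report: one row per account, the count the lockdown project should start from, and a CSV
# to merge with the other hosts in the farm.
$found | Sort-Object Category, Account | Format-Table -AutoSize
"{0} privileged accounts found on {1}" -f $found.Count, $env:COMPUTERNAME
$found | Export-Csv -Path ".\priv-accounts-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run it once per server and merge the CSVs; the merged list, not the handful of accounts people remember, is the real size of the problem. Expect the same service or application account to show up on several hosts, which is exactly the kind of shared privileged credential a lockdown project should vault and rotate first.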

An effective policy and approach to Identity and Access Management can help a company accelerate the adoption of new technology and at the same time avoid becoming the next victim of cybercrime.

Where can you start to get ahead? Here’s a list to get you in the right direction:

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.